CVE-2026-50290
@asymmetric-effort/specifyjs: CSS expression sanitization is bypassable in renderToString
Description
## Finding **Location**: `core/src/server/render-to-string.ts:307-311` CSS value sanitization stripped `expression(` and `url(javascript:` using simple regex, but could be bypassed with CSS unicode escapes (`\65xpression(`), null bytes, or CSS comments (`exp/**/ression(`). **Mitigating Factor**: These CSS injection vectors only work in legacy browsers (IE6-IE10). SpecifyJS targets modern browsers. ## Status **Fixed in v0.2.136** — CSS sanitization now normalizes unicode escapes and strips CSS comments before pattern matching. Also checks for `behavior:`, `-moz-binding`, and `-o-link` patterns.
How to fix CVE-2026-50290
To remediate CVE-2026-50290, upgrade the affected package to a fixed version below.
- —upgrade to 0.2.136 or later
Is CVE-2026-50290 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-50290.
Affected packages (1)
- from 0, < 0.2.136
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |